February 6, 2017

Who doesn’t need antivirus?

Security

Recently Robert O’Callahan, who used to be a Firefox developer, published a provocative opinion stating that people should delete their antivirus protection because the basic security that operating systems provide is sufficient.

Let’s analyze his claims and debunk a couple of myths.

No antivirus required?

Everyone acknowledges the abundance of malware today. It’s not someone else’s problem in some distant country; it’s everywhere. According to Kaspersky Lab, in 2016, 31.9% of computers were attacked at least once.

In 2016, Kaspersky Lab solutions repelled 758,044,650 attacks launched from online resources located all over the world. Web antivirus components recognized 261,774,932 unique URLs as malicious and detected 69,277,289 unique malicious objects (scripts, exploits, executables, etc.). Encryptors targeted 1,445,434 computers of unique users. Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 2,871,965 devices.
You can read a more detailed report here.

Of course, responsible users follow general security recommendations and minimize their risk: They update their operating system and software promptly, visit only trusted websites, never open suspicious attachments or click on suspicious links (even those sent by friends and colleagues), and so forth.

These users indeed run lower risks of getting their devices infected. Of course, hacks of popular Web resources and critical vulnerabilities in popular software are common, but not frequent enough to significantly raise the chances of an experienced user getting infected.

Yet, the majority of Internet users, both end users and organizations, want to be a bit more relaxed and carefree. They just want to live their digital lives. They want to be able to click on a link their mom sent. They want their software to update automatically and without hassle. They want to check out a website their friends told them about. They are keen to explore the digital world. At work, they want to be able to open a CV sent by a candidate (who is, in almost all cases, a person unknown to anyone in the organization).

If you’re one of those very responsible users, then good for you — really, we applaud your effort — but most people still need extra protection. And making average users more confident in their carelessness doesn’t make them better protected.

I agree that digital hygiene — responsible behavior — is the most efficient means of protection. That’s why we spend so much time educating users. But imagine we are talking about your child or parent, or great-grandparent. Do they know how to be responsible online?

Antivirus is crucial, like seat belts or airbags. If you never actually need them, that’s great. But when you do need them, there’s no warning, and they can be the thing that saves you.

Is malware really so bad?

Some users might ask: “Well, if my computer gets infected, so what? No one will die. I don’t do my banking online, I don’t use credit cards online, and I don’t have any secrets anyone would care about.”

Well, there’s quite a variety of malicious programs. Some just spy on you to collect your preferences and then use this data for targeted advertising; some click URLs on your behalf to boost a number of visits to a website; some attack remote servers, using your computer as a base for the attack, which can bring the police to your door, by the way. Some Trojans discreetly turn on your webcam.

Still OK with leaving your computer and devices unprotected? Now imagine this: One click on an attachment or link sent by a friend and all of your data is encrypted and held for ransom. You lose access to everything: your wedding album, photos of your kids, some very personal photos; your documents, including agreements, your will, the novel you have been writing for half of your life; everything! Even cloud storage like Dropbox that automatically syncs and backs up your files wouldn’t necessarily solve the problem. The chances are good that your locally encrypted files will overwrite the backed-up cloud versions.

Of course, with ransomware you can try paying the ransom. It might work. You might, for about $200, get your files back. Or maybe not: Our studies show that in one in five cases it won’t happen.

Is Windows 10’s antivirus enough?

But let’s get back to our friend. On the one hand, O’Callahan claims antivirus is not necessary anymore, yet on the other hand, he suggests that the default operating system antivirus should be enabled.

It’s hard to say whether he is admitting that protection is still needed or he just considers all security solutions equal. If it’s the latter, this IT expert should learn more about information security. Antivirus solutions vary greatly in terms of quality of protection, impact on system performance, and false positives.

User approval can tell you something about a product’s effectiveness, but not that much. That’s why antivirus products are also tested by independent labs and get awards for great performance and results. Here’s one example that should interest O’Callahan: our very own Kaspersky Internet Security, compared against Windows 10’s integrated security solution.

AV-Test benchmark comparing Kaspersky Internet Security and Windows 10 basic protection by Microsoft. Source.

As you can see, in terms of false positives (the “Usability” column) or impact on performance, Microsoft Windows Defender is not critically worse than Kaspersky Internet Security. But when it comes to the main parameter — protection — Windows Defender lags far behind: its result is 3 of 6 points, which speaks for itself.

Moreover, choosing one of the least-experienced players on the market as the “don’t need antivirus” antivirus is bewildering. Check out this picture, which shows who ended up in the top three the most times, based on 94 benchmarks and tests. See Microsoft’s dot?

The vertical axis represents a percentage of times when a security solution was in the top three. The horizontal axis represents a number of times a solution was benchmarked. The size of the circle represents a number of times a product was a No. 1 winner.

Why should antivirus be integrated with a browser?

O’Callahan also wonders why security solutions track browser activity, why they intercept and analyze traffic. He says that if not for “useless antiviruses,” browser developers would have built efficient protection on their own long ago.

Here I’d affirm that browser developers indeed work hard to minimize risks of critical vulnerabilities, and I’m sure they would feel much more free without antivirus hovering over browser processes.

Let me remind O’Callahan, however, that vulnerabilities represent an obvious attack vector for malware to infiltrate a user’s system — but it’s not the only one. A competitive security solution needs to protect against phishing, malicious scripts, inappropriate content, pervasive advertising, and online tracking while securing payments and at times preventing a user from willingly downloading and running malware. All of these threats are bound to browser activity, but a browser doesn’t protect against them — at least, not particularly well.

That’s why browser and antivirus should be tightly integrated. For Kaspersky Lab, compatibility and usability are just as important as they are for browser developers. That’s why we have a group of experts who proactively run compatibility tests and fix bugs as soon as browser beta versions are available for developers. When we find a problem, we proactively contact the developers.

Debunking a few more points

A few more general points are worth examining.

O’Callahan points out that one should apply OS and software patches to ensure protection. That’s correct; patches do mitigate the risk of infection through known vectors. We agree that updating is critically important, and that’s why we launched a new component in Kaspersky Internet Security 2017. It’s called Software Update, and it automates patching.

He also points out that antiviruses can have bugs and vulnerabilities. That’s true, but Kaspersky Lab handles these issues responsibly, and we have a Bug Bounty program that offers payments to researchers who manage to find vulnerabilities in our products.

Finally, O’Callahan says some antivirus programs impact system performance. That is true. But Kaspersky’s security solutions have a minimal impact on performance, which is confirmed by independent benchmark tests.

Source 1; Source 2; Source 3

A small conspiracy theory

There is another strange thing about the ex-Firefox employee’s emotional outpouring. He claims the company’s PR always hushed up his complaints about antivirus software to avoid revenge from security companies. But in the face of constantly voiced disapproval, I have never heard of any sanctions or counterattacks from any of his nemeses. I’m still unclear about what his fears are based upon.

Robert O’Callahan has criticized other software before. In 2010, he argued with Microsoft over the latter’s claims that Internet Explorer was the only browser supporting software acceleration. In 2013, he attacked Blink, Chrome’s then newest engine. In 2014, he called for a Chrome ban to prevent, he said, Google from monopolizing the Internet; and in 2017, he said all browser developers with the exception of Mozilla cared more about profits than their users.

Let’s look at the wider view. People have been pronouncing antivirus dead and unnecessary . Browser developers happen to be the latest group to try and nail the coffin shut. For example, Darren Bilby, a security engineer at Google, also recently stated that security software is “useless.”

I cannot know for sure — maybe antivirus programs do hinder browser developers’ efforts to make more money. After all, browsers are mostly free; they are monetized with contextual ads and other types of advertising. Antiviruses protect against undesirable advertising and user tracking . In other words, user protection conflicts with the interests of browser developers.

But let’s not make wild guesses. Our task is protecting against threats, so we’ll stick to that. That’s what we call True Cybersecurity.